In May 2016, the National Institute of Standards and Technology (NIST) published a draft guideline recommending the deprecation of SMS authentication as a second factor for strong authentication.

Many news outlets and security blogs have discussed the issue since then, expressing vastly different takes on the matter. I decided to ask two IBM authentication experts, Dustin Hoff and Ashish Malhotra, for their recommendations.

IBM Experts Weigh In on SMS Authentication

Question: Let’s level set on the basics — what is an SMS one-time password (OTP)?

Malhotra: In SMS-based two-factor authentication (2FA), a user must confirm the intended login or transaction by entering an OTP sent to their mobile phone — typically, a four- to eight-digit numerical code. This authentication method was once believed to protect against man-in-the-middle (MitM) attacks until security professionals realized that text messages can be intercepted by fraudsters just as easily.
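The server side of the flow Malhotra describes, as an added example that is not code from the original article or from IBM: a code is generated with a cryptographic RNG, bound to the user and to the specific login or transaction it approves, given a short lifetime and a small number of guesses, and compared in constant time. The SMS gateway is assumed (any callable that takes a phone number and a message); the clock is injectable so expiry can be exercised offline.

```python
"""Server-side SMS OTP issuance and verification (added example; not IBM's code)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class PendingOtp:
    digest: bytes        # SHA-256 over context + code; the plaintext code is never stored
    expires_at: float    # Unix time after which the code is dead
    attempts_left: int   # remaining guesses before the code is discarded


class SmsOtpService:
    """Issues one numeric code per (user, context) and accepts it exactly once.

    send_sms is an assumed gateway callable (phone, message) -> None.
    clock is injectable so time-based behaviour can be tested without sleeping.
    """

    def __init__(self, send_sms: Callable[[str, str], None], digits: int = 6,
                 ttl_seconds: int = 300, max_attempts: int = 3,
                 clock: Callable[[], float] = time.time) -> None:
        self.send_sms = send_sms
        self.digits = digits
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.clock = clock
        self._pending: Dict[str, PendingOtp] = {}

    @staticmethod
    def _key(user_id: str, context: str) -> str:
        return f"{user_id}|{context}"

    @staticmethod
    def _digest(key: str, code: str) -> bytes:
        # Binding the hash to the key means a code issued for "transfer:acct-42:500.00"
        # cannot be replayed to approve "login" or a different transfer.
        return hashlib.sha256(f"{key}|{code}".encode()).digest()

    def issue(self, user_id: str, phone: str, context: str) -> None:
        # secrets.randbelow is a CSPRNG; random.randint would be predictable.
        code = str(secrets.randbelow(10 ** self.digits)).zfill(self.digits)
        key = self._key(user_id, context)
        self._pending[key] = PendingOtp(self._digest(key, code),
                                        self.clock() + self.ttl, self.max_attempts)
        self.send_sms(phone, f"Your code is {code}. It expires in {self.ttl // 60} minutes.")

    def verify(self, user_id: str, context: str, candidate: str) -> bool:
        key = self._key(user_id, context)
        entry = self._pending.get(key)
        if entry is None:
            return False                        # nothing outstanding, or already consumed
        if self.clock() > entry.expires_at:
            del self._pending[key]              # expired: the code is gone for good
            return False
        entry.attempts_left -= 1
        ok = hmac.compare_digest(entry.digest, self._digest(key, candidate))
        if ok or entry.attempts_left <= 0:
            del self._pending[key]              # single use; lock out after too many guesses
        return ok


if __name__ == "__main__":
    # Constructed demo: a fake gateway that only records the outgoing message.
    outbox = []
    svc = SmsOtpService(lambda phone, msg: outbox.append((phone, msg)))
    svc.issue("alice", "+15555550100", "transfer:acct-42:500.00")
    print(outbox[-1])
```

Note that hashing the stored code is only a modest protection: a six-digit space is trivially brute-forced offline, so the short TTL and the attempt limit are what actually bound an attacker who reads the store. None of this helps against the interception attacks discussed next, since the legitimate code itself is what gets stolen.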

How can an SMS OTP be compromised?

Malhotra: If a mobile phone is compromised because its user unwittingly downloaded malware onto it, a fraudster can simply command the malware to monitor text messages, including those containing OTPs, on that phone. Many phones are susceptible to Trojans like Zeus, Zitmo, Citadel and Perkele, which leverage open access to SMS on mobile phones specifically to intercept OTPs.

Many of these Trojans are targeting SMS OTPs, mobile SIM swaps, SIM clones, number porting attacks, fake caller ID and call forwarding scams operated by dishonest customer service representatives at mobile carriers. All of these exploit insecure SMS networks and erode misplaced trust in the channel.


What about for users whose phones haven’t been corrupted by malware? Is SMS OTP safe then?

Malhotra: The security of SMS authentication relies on the security of cellular networks, and with the attacks against Global System for Mobile Communications (GSM) and 3G networks, the confidentiality of text messages cannot be assured. Since encryption is not applied to short message transmission by default, messages could be intercepted and snooped during transmission, even if the receiving device wasn’t infected by malware.

In addition, SMS messages are stored as plaintext by the short message service center (SMSC) before they are successfully delivered to the intended recipient. These messages could be viewed or amended by users in the SMSC who have access to the messaging system. Spying programs such as FlexiSpy enable intruders to automatically record all incoming and outgoing SMS messages and then upload the logs to a remote server for later viewing and analysis.

How are companies reacting to these threats?

Hoff: Despite these security issues, using SMS OTP as a second factor is still better than simply relying on the username/password combo. For this reason, most companies haven’t urgently migrated to other authentication methods.

However, I would expect this migration to take place over time. As smart devices become more and more ubiquitous, myriad new authentication methods will become available. From push-to-approve to biometrics, such as fingerprint scans, retina scans or even voice recognition, safer and more convenient choices will make it easy to do away with SMS OTP.

Malhotra: If we look at companies worldwide, we see that different geographies are at different stages of the authentication journey. South Africa was one of the first markets to move wholesale to SMS OTPs. Today, a large majority of banks there have dropped them in favor of safer, more convenient out-of-band authentication solutions centered on the mobile phone. European banks are fast dropping the technology, too. The technology is still very prevalent in North America, though we see that changing little by little.

Many banks, apps and other consumer-facing services use SMS OTP as a second factor. What’s a private consumer to do?

Hoff: As an end user of secure online services, you can immediately take a few steps to help protect yourself.

To start, you should ensure that you follow strong password guidelines and enable two-factor authentication on all services that support it, including Google, Apple and many others. While this sounds easy, you would be surprised to find how many people don’t take this seemingly simple step.

Next, check to see if your service provider offers alternatives to SMS authentication that you can start using today. For example, many services use a solution like the Google Authenticator that relies on open standards for secure OTPs. Other providers, such as Apple, have more recently started offering OTPs via push notification in order to bypass SMS delivery. There are also multiple vendors that sell relatively low-cost, standards-based, bring-your-own-authenticator hardware tokens, which can provide extra security for a variety of online services.

Finally, regardless of your chosen multifactor authentication method, ensure that you follow good mobile security practices.
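The "open standards for secure OTPs" Hoff refers to are HOTP (RFC 4226) and its time-based variant TOTP (RFC 6238), which is what Google Authenticator and similar apps implement. The following is an added example, not code from the article or from IBM or Google: a complete HOTP/TOTP implementation with a skew window and a replay guard, checked against the published RFC test vectors (shared secret "12345678901234567890"). Nothing travels over the carrier network; the secret is provisioned once and both sides derive the code locally.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP with skew window and replay guard (added example)."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# The shared secret used by the RFC 4226 / RFC 6238 test vectors.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation (RFC 4226 s5.3)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: Optional[int] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP: HOTP whose counter is floor(unix_time / step) (RFC 6238 s4)."""
    t = int(time.time()) if at_time is None else at_time
    return hotp(secret, t // step, digits, algo)


def verify_totp(secret: bytes, candidate: str, at_time: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1,
                last_counter: int = -1) -> Optional[int]:
    """Check a submitted code; return the matched time-step counter, or None.

    window: steps either side of 'now' to accept, tolerating clock skew between
    the phone and the server (window=1 with step=30 accepts a 90-second span).
    last_counter: highest counter already consumed for this user. The caller
    persists the returned counter, so a code observed once cannot be replayed
    later inside the window.
    """
    if len(candidate) != digits or not (candidate.isascii() and candidate.isdigit()):
        return None
    t = int(time.time()) if at_time is None else at_time
    current = t // step
    for offset in range(-window, window + 1):
        counter = current + offset
        if counter <= last_counter:
            continue
        # Constant-time comparison: the loop still leaks nothing useful about the code.
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return counter
    return None


def decode_authenticator_secret(b32: str) -> bytes:
    """Authenticator apps exchange secrets as unpadded Base32 in otpauth:// URIs; restore padding."""
    s = b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


if __name__ == "__main__":
    # Six-digit code for the current 30-second step, as an authenticator app would show it.
    print(totp(RFC_TEST_SECRET))
```

The replay guard is the part most home-grown TOTP verifiers omit: without it, a code phished or shoulder-surfed at second 10 of a step is still valid for the rest of the acceptance window, which is exactly the interception problem SMS has, just with a shorter fuse.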

What about enterprise use cases? What’s the right authentication strategy for employees, partners, contractors or even customers?

Hoff: As service providers and enterprises, you must also consider the NIST recommendations as part of your larger IAM and online security strategy. Changes may have a large impact on your users and could require additional investment, so it is important to take a thoughtful approach.

To start, remember that SMS-based two-factor authentication is still better than traditional usernames/passwords. Billions of SMS messages are exchanged each day, and while only a fraction of these are OTPs, the system is not going away overnight.

Looking ahead, it’s a good idea to understand the risk associated with different segments of your user population. For example, high-volume users on an online marketplace might be more valuable to your service and therefore pose a greater risk to your business if they are compromised. Once you understand the risk levels associated with different user segments, you can prioritize the implementation of newer, more secure authentication mechanisms.

The third step is to investigate innovations and new technologies for authentication and web access management solutions. While there is no silver bullet, vendors continue to add new functionality in this space to help enterprises and end users alike secure their online activity.

To learn more, watch the on-demand webinar, “Five Steps to Overcome Customer Authentication Chaos.”
